man fbtab - will tell you the details about temporarily assigning ownership of devices based on login ttys. On my laptop, X11 gets the ttyC5. So, I can control the device ownership based on that. I don't know how useful this is though because we already have matchdep.allowaperture = 1 setting in /etc/sysctl.conf using which we can assign more privileges to Xorg.
–
SalilOct 21 '12 at 0:44

1 Answer
1

Let's also assume that you are running a web server on with sensitive data (owner is user 'www') in it and your desktop user has permission to work (read, write, execute) in that directory.

But for everything you intend to do on the desktop like mailing, listening to music, messaging or browsing has nothing to do with these files. Now GUIs want to make everything simpler, faster and overall more comfortable, so a misclick in Nautilus, Konqueror or some other file manager can accidentally delete a file, a misclick might even send data as an email attachment over the internet, you could accidentally share a file over the network etc. - all these dangers are one click away in graphical desktop environment whereas on the command line you would issue a command name with the fitting arguments for the same effect.

You could now use /etc/fbtab to let login tell chmod to make that directory readonly for the owner, so none of your desktop users can accidentally delete anything, even though they are permitted to work in that directory when using the command line and only the owner 'www' (which should not have desktop access anyway) can read it:

/dev/ttyC5 0400 /home/user/apache13/www/

Example 2: Sensitive data for a local project only

Let's assume that you are working on a project with colleagues, who all have permission to log into your X11 desktop with their accounts. But they are supposed to only have access to the directory with your project in it via X11, because they are not very experienced with the command line and might unintentionally do something wrong, so you have the permissions very restrictive for that directory.

This entry changes it to rwx rwx r-x for X11:

/dev/ttyC5 0775 /www/groupproject

Example 3: USB and floppy storage as backup disks

You want to restrict access to usb storage on /dev/wd0 and /dev/wd1 as well as floppy disks on /dev/fd0, because they are used for backup only.